Archive for the ‘admin account’ Category

The Risks Of Sharing Passwords

February 22nd, 2011

Businesses and consumers alike find convenience in sharing passwords, but doing so is highly risky, as demonstrated by a recent incident concerning wireless carrier Vodafone. Vodafone’s customer database was compromised using login information that was shared among employees. Shared passwords may seem convenient, but if you establish the proper procedures you can do without them while still enabling your people to get the job done.

When employees need network access, the proper thing to do is assign usernames and passwords specific to those employees, then grant or revoke permission to network resources depending on what the employees require for their jobs. Yet I routinely see companies setting up shared passwords. Because these passwords are typically not changed when people leave the company, sharing them widens the potential for unauthorized access. It also muddies the audit trail: you should always be able to tell specifically who logged into what and when. It’s vital to establish a process for creating and deleting accounts as employees come and go, as well as mechanisms for altering access to network resources as appropriate. This is especially true if someone has administrative access to networks and servers. If you have an account that is not assigned to a particular person, say for shipping or vendors, you should limit who has access to that account and make sure the password is changed when employee duties are reassigned. Is that inconvenient? Perhaps, but ask Vodafone how inconvenient it was to have a journalist call them up and tell them she had access to their customer database, and imagine the damage if such access were gained by a competitor.
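One way to check the account lifecycle described above, as an added example that is not part of the original article: it flags personal accounts whose owner has left and shared accounts whose password has not been changed since someone who knew it left. The inventory format, field names and sample data are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample inventory (not from the article). "holders" is assumed to
# list everyone who has known the account's password since it was last changed.
ACCOUNTS = [
    {"name": "jsmith", "shared": False, "admin": False,
     "holders": ["jsmith"], "password_changed": date(2011, 1, 10)},
    {"name": "bjones", "shared": False, "admin": True,
     "holders": ["bjones"], "password_changed": date(2010, 6, 2)},
    {"name": "shipping", "shared": True, "admin": False,
     "holders": ["jsmith", "bjones", "mlee"], "password_changed": date(2010, 3, 1)},
    {"name": "frontdesk", "shared": True, "admin": False,
     "holders": ["bjones", "mlee"], "password_changed": date(2011, 1, 5)},
]

# Constructed HR feed: username -> last day with the company.
DEPARTURES = {"bjones": date(2010, 12, 15)}


def audit_accounts(accounts, departures):
    """Return (account_name, finding) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        # Holders of this account who have since left, with their exit dates.
        gone = {h: departures[h] for h in acct["holders"] if h in departures}
        if not gone:
            continue
        last_exit = max(gone.values())
        if not acct["shared"]:
            # A personal account outliving its owner should be disabled or deleted.
            kind = "admin account" if acct["admin"] else "account"
            findings.append(
                (acct["name"], f"orphaned {kind}: owner left {last_exit}, disable it"))
        elif acct["password_changed"] <= last_exit:
            # A shared password not rotated since the departure is still known
            # to someone outside the company.
            who = ", ".join(sorted(gone))
            findings.append(
                (acct["name"],
                 f"stale shared password: known to {who}, "
                 f"unchanged since {acct['password_changed']}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(ACCOUNTS, DEPARTURES):
        print(f"{name}: {finding}")
```

The `frontdesk` account is not flagged because its password was changed after the departure, which is the rotation step the paragraph calls for.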

Shared passwords are equally risky for consumers. While it’s a good idea to make sure a trusted individual such as your spouse can access your accounts in an emergency, it is never a good idea to blithely give Aunt Gertrude access to your Facebook account so she can see your kids’ pics. Better for her to get her own account and friend you. It’s not that your family and friends intend to do harm, but a password once shared is a genie out of a bottle, and getting used to sharing passwords trends toward complacency in your computer security mindset. You should take your home computer security as seriously as any company does, if not more so. A company can lose face and revenue, but you can lose your own personal identity.

Don’t forget the rules of strong passwords, and remember they need to be unique on every system and changed on a regular basis. Again, inconvenient? Not when you compare it to the damage control you’d have to do if your company suffers a data breach, or if your individual identity is stolen.


The Admin Account

April 15th, 2009

One of the great mysteries of computers is the admin account. In the past computers were standalone; that is, used by only one person. Today’s computers assume multiple people will be using them, even PCs with a single owner. This means having an overriding account to manage the others. Referred to as administrator, owner or root, it has complete control over your computer.

In reality your computer has two account types, administrator and standard (or limited). Limited users don’t have full control; they can’t alter system settings or make other changes. Unfortunately, in a holdover from the standalone days, that often means they can’t do real-world tasks like burning CDs or updating antivirus either. For this reason most folks simply use their computers under the admin account. Indeed, computer stores configure consumers to use the admin account by default. When folks do use multiple accounts (say for themselves and their kids), those accounts often have full administrative rights.

Why is this important? Because every virus and Trojan horse wants admin access. It’s why they will do anything to get you to click on bad links, including tricking you into thinking your computer won’t work properly if you don’t. (We’re going to talk more about how to spot fake links in May’s Tech Tip Of The Month.) And some viruses don’t require you to do anything at all. If you browse the wrong Web page and are using an admin account, your computer is, in the vernacular, pwned.

Your best bet is to use limited accounts when you can, administrative ones if you must, and security software to keep tabs on what your computer is doing at all times. To create limited accounts, go to Start, Control Panel, Users and Groups (Windows), or Apple menu, System Preferences, Accounts on a Mac. In my experience Windows Vista limited accounts work better than those in Windows XP, and Mac limited accounts work better than PC ones.
